This was a test on Debian Jessie with SerNet Samba 4.2.3, and the test was a "login" with an AD user over ssh. This worked fine, but this is what I noticed later.

Greetz,

Louis

>-----Original Message-----
>From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE]
>Sent: Wednesday 26 August 2015 20:39
>To: L.P.H. van Belle
>CC: samba at lists.samba.org
>Subject: Re: [Samba] FW: Questions about Samba 4
>
>On Wed, Aug 26, 2015 at 05:44:44PM +0200, L.P.H. van Belle wrote:
>> OK, I can't make it crash, but I notice my CPU load.
>>
>> 17535 username 20 0 294852 13716 11520 R 100.0 1.3 280:28.70 winbindd
>> 542 username 20 0 291040 16720 14172 R 99.6 1.6 281:45.88 winbindd
>>
>> And the funny thing: this user hasn't been logged in for the last 6 hours.
>
>What is the exact environment this is running on?
>
>Thanks,
>
>Volker
>
>--
>SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
>phone: +49-551-370000-0, fax: +49-551-370000-9
>AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>http://www.sernet.de, mailto:kontakt at sernet.de
On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
> This was a test on Debian Jessie with SerNet Samba 4.2.3,
> and the test was a "login" with an AD user over ssh.
> This worked fine, but this is what I noticed later.

Just for my easier install, so that I don't have to try both: what processor architecture, AMD64 or i386?

Thanks,

Volker Lendecke
This was an amd64 install on a Xen 6.5 server.

Greetz,

Louis
On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
> This was a test on Debian Jessie with SerNet Samba 4.2.3,
> and the test was a "login" with an AD user over ssh.
> This worked fine, but this is what I noticed later.

OK. Installed 64-bit Jessie in KVM, SerNet Samba 4.2.3. Got it to PAM-auth an AD test user with and without krb5_auth=yes. Expired that user. Got the expected error messages. But no spinning winbind.

Next step: please send me all relevant configuration files: smb.conf, PAM configuration. And then please also a debug level 10 log of winbind leading to the spinning process, so that I can make sure I get the same sequence of events.

Volker
On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
> This was a test on Debian Jessie with SerNet Samba 4.2.3,
> and the test was a "login" with an AD user over ssh.
> This worked fine, but this is what I noticed later.

OK, got more information. But I am still not able to reproduce it. Unless someone would be willing to give a developer root login to such a box (which I see as pretty unlikely), I think I have done what I could and have to leave this to the real experts like Simo or Andrew Bartlett. winbind, according to all my information, seems to spin somewhere deep in the kinit code.

Sorry,

Volker
On 28/08/15 09:20, Volker Lendecke wrote:
> On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
>> This was a test on Debian Jessie with SerNet Samba 4.2.3,
>> and the test was a "login" with an AD user over ssh.
>> This worked fine, but this is what I noticed later.
> OK, got more information. But I am still not able to
> reproduce it. Unless someone would be willing to give a
> developer root login to such a box (which I see as pretty
> unlikely), I think I have done what I could and have to leave
> this to the real experts like Simo or Andrew Bartlett.
> winbind, according to all my information, seems to spin
> somewhere deep in the kinit code.
>
> Sorry,
>
> Volker

Hi Volker, it seems pretty easy to reproduce: just throw up a test DC in a VM, create a user and set the password to need to be changed at next login. Now create a member server in another VM and join this to the DC. Now open three terminals: ssh into the member server as root from one and start 'top', ssh into the member server as root from another, and finally attempt to ssh into the member server as the user you created from the last one. Now watch the 'top' running in the other terminal; it should show winbind using 100% CPU (or very close to it). At this point go to the open root terminal and run gdb.

I can easily reproduce it on an x86_64 machine running Samba Version 4.2.3-SerNet-Debian-7.wheezy

I get this from gdb:

(gdb) bt
#0  0x00007f6449c6cf19 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f644ae45e43 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so
#2  0x00007f644e25fc36 in krb5_get_init_creds_password () from /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26
#3  0x00007f644ae460ff in kerberos_kinit_password_ext () from /usr/lib/x86_64-linux-gnu/samba/libgse-samba4.so
#4  0x00007f64519fde1d in kerberos_return_pac ()
#5  0x00007f6451a1cb5f in winbindd_dual_pam_auth ()
#6  0x00007f6451a319c4 in ?? ()
#7  0x00007f644f32c741 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0
#8  0x00007f644f32a9fb in ?? () from /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0
#9  0x00007f644f327381 in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0
#10 0x00007f6451a34a6f in ?? ()
#11 0x00007f6451a34bd7 in ?? ()
#12 0x00007f644f327d38 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0
#13 0x00007f644f327be5 in tevent_common_loop_immediate () from /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0
#14 0x00007f644f32c48a in ?? () from /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0
#15 0x00007f644f32a9fb in ?? () from /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0
#16 0x00007f644f327381 in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0
#17 0x00007f6451a0d319 in main ()
(gdb)

But of course, this is probably me trying to teach my granny to suck eggs :-)

Rowland
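Rowland's procedure above ends with "watch top, then run gdb". The following is an added example, not code from the thread or from Samba, that turns that manual check into something a defender can run on a member server: it reads `ps -eo pid,comm,pcpu,cputime --no-headers` output, flags winbindd processes that are both busy now and have accumulated far more CPU time than a child serving short PAM requests should, and builds the gdb command line for the backtrace step. The ps column set, the thresholds, and the sample lines (constructed from the numbers in Louis's top output) are my assumptions, not anything the thread states.

```python
"""Added example (not from the thread or from Samba): detect winbindd
processes that look like the spinning ones Louis saw, and build the gdb
command for the backtrace step of Rowland's procedure.

Assumptions (mine, not stated in the thread):
  - input is the output of:  ps -eo pid,comm,pcpu,cputime --no-headers
  - cputime has the form [[dd-]hh:]mm:ss
  - thresholds: sustained %CPU >= 90 and >= 10 minutes of accumulated CPU
    time, which a winbindd child serving short PAM requests should not reach
"""
import re

CPUTIME_RE = re.compile(r"^(?:(?:(\d+)-)?(\d+):)?(\d+):(\d+)$")

# Constructed sample: the two winbindd children from Louis's top output
# (280:28.70 and 281:45.88 of CPU time at ~100 %CPU) plus two healthy processes.
SAMPLE_PS = """\
17535 winbindd 100.0 04:40:28
  542 winbindd  99.6 04:41:45
  540 winbindd   0.0 00:00:03
 1201 smbd       1.2 00:01:10
"""


def parse_cputime(text):
    """Convert a ps cputime value ([[dd-]hh:]mm:ss) to seconds."""
    m = CPUTIME_RE.match(text)
    if m is None:
        raise ValueError("unrecognised cputime: %r" % text)
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs


def spinning_processes(ps_output, comm="winbindd", min_pcpu=90.0, min_cpu_seconds=600):
    """Return [(pid, pcpu, cpu_seconds)] for processes named `comm` that are
    busy right now AND have accumulated a lot of CPU time.  Requiring both
    avoids flagging a child that is merely handling a burst of logins."""
    hits = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # header or malformed line
        pid, name, pcpu, cputime = fields
        if name != comm:
            continue
        pcpu = float(pcpu)
        seconds = parse_cputime(cputime)
        if pcpu >= min_pcpu and seconds >= min_cpu_seconds:
            hits.append((int(pid), pcpu, seconds))
    return hits


def gdb_backtrace_command(pid):
    """Command line for a non-interactive backtrace of a running process,
    using gdb's -p, -batch and -ex options; run as root, as in the thread.
    A spinning child from this thread shows krb5_get_init_creds_password
    under winbindd_dual_pam_auth in the output."""
    return ["gdb", "-p", str(pid), "-batch", "-ex", "bt"]


if __name__ == "__main__":
    for pid, pcpu, seconds in spinning_processes(SAMPLE_PS):
        print("winbindd pid %d: %.1f%% CPU, %d s accumulated" % (pid, pcpu, seconds))
        print("  " + " ".join(gdb_backtrace_command(pid)))
```

Feed it live data with `ps -eo pid,comm,pcpu,cputime --no-headers | python3 script.py` after replacing `SAMPLE_PS` with `sys.stdin.read()`; the accumulated-time threshold is what separates a stuck child (hours of CPU for a user who logged out long ago, as Louis reported) from one that is simply busy.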
On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
> This was a test on Debian Jessie with SerNet Samba 4.2.3,
> and the test was a "login" with an AD user over ssh.
> This worked fine, but this is what I noticed later.

Currently recompiling with the attached patch. I haven't tested it yet, but I am pretty sure this will fix the issue.

For everyone interested, the comment should be pretty self-explaining.

Volker
On 28/08/15 11:48, Volker Lendecke wrote:
> On Thu, Aug 27, 2015 at 08:17:15AM +0200, L.P.H. van Belle wrote:
>> This was a test on Debian Jessie with SerNet Samba 4.2.3,
>> and the test was a "login" with an AD user over ssh.
>> This worked fine, but this is what I noticed later.
> Currently recompiling with the attached patch. I haven't
> tested it yet, but I am pretty sure this will fix the issue.
>
> For everyone interested, the comment should be pretty
> self-explaining.
>
> Volker

OK, after reading Volker's patch, I got the feeling that the problem wasn't actually a Samba problem, so I went googling.

If I change these lines in /etc/ssh/sshd_config:

ChallengeResponseAuthentication no
#PasswordAuthentication yes

To:

ChallengeResponseAuthentication yes
PasswordAuthentication yes

restart ssh: 'service ssh restart' on Debian wheezy

Now try and login via ssh:

root at dc01:~# ssh user3 at 192.168.0.196
Password:
Password expired. You must change it now.
Enter new password:
Enter it again:
Warning: Your password will expire in 42 days on Fri Oct 9 13:30:25 2015
Linux debclient 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Aug 28 13:23:32 2015 from dc01.example.com
user3 at debclient:~$

No spinning winbind PID

Have I found the cure?

Rowland
Rowland, if ChallengeResponseAuthentication is 'yes', and the PAM authentication policy for sshd includes pam_unix, password authentication will be allowed through the challenge-response mechanism regardless of the value of PasswordAuthentication.

Source: http://www.unixlore.net/articles/five-minutes-to-more-secure-ssh.html, start reading at "Details on PAM Authentication".

But a good find; maybe Volker can use this info also.

Greetz,

Louis
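Louis's point is about which sshd settings let a password-style login reach PAM at all, and Rowland's before/after lines show the setting that also enables the interactive password-change prompts. As an added example (not from the thread and not OpenSSH code), here is a small audit that parses the global section of an sshd_config the way sshd resolves it and reports whether the two password-style paths, the `password` method (PasswordAuthentication) and `keyboard-interactive` through PAM (ChallengeResponseAuthentication plus UsePAM), are in effect. The parsing rules (first occurrence of a keyword wins, case-insensitive keywords, `#` comments, Match blocks left out), the default values, and the two constructed configs modelled on Rowland's lines are my assumptions.

```python
"""Added example (not from the thread, not OpenSSH code): audit the global
sshd_config settings that decide whether a password-style login reaches PAM.

Assumed sshd_config semantics (as documented in sshd_config(5)): keywords
are case-insensitive, '#' starts a comment, the first obtained value for a
keyword wins, and lines from the first 'Match' onward apply only to
matching connections, so they are left out of this global view.
Assumed defaults: PasswordAuthentication yes,
ChallengeResponseAuthentication yes, UsePAM no.
"""

DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

# Constructed samples modelled on the lines Rowland changed; UsePAM is set
# explicitly because Debian's shipped sshd_config enables it.
BEFORE = """\
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
"""

AFTER = """\
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: nothing to record
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # conditional block: out of scope for the global audit
        settings.setdefault(key, value)  # first obtained value is used
    return settings


def audit(text):
    """Effective values of the three keywords plus the two derived flags."""
    found = parse_sshd_config(text)
    eff = {k: found.get(k, default).lower() for k, default in DEFAULTS.items()}
    pam = eff["usepam"] == "yes"
    # 'password' method: the client sends the password, sshd hands it to PAM.
    eff["password_via_pam"] = pam and eff["passwordauthentication"] == "yes"
    # 'keyboard-interactive' method: PAM drives the conversation, which is
    # what lets a module prompt for a new password (the prompts Rowland saw).
    eff["keyboard_interactive_pam"] = pam and eff["challengeresponseauthentication"] == "yes"
    return eff


def report(text):
    """One-line human summary of audit(text)."""
    eff = audit(text)
    return ("PasswordAuthentication=%s ChallengeResponseAuthentication=%s UsePAM=%s "
            "-> password_via_pam=%s keyboard_interactive_pam=%s" % (
                eff["passwordauthentication"], eff["challengeresponseauthentication"],
                eff["usepam"], eff["password_via_pam"], eff["keyboard_interactive_pam"]))


if __name__ == "__main__":
    print("before:", report(BEFORE))
    print("after: ", report(AFTER))
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`. The "before" config still authenticates passwords (PasswordAuthentication falls back to its default of yes when the line is commented out), which matches Louis's warning that commenting out PasswordAuthentication does not by itself disable password logins; what it lacks is the keyboard-interactive path, and that is the only one of the two where PAM can run the change-password conversation shown in Rowland's session.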